
Because it's stored in a database. If an attacker has access to the database with the hashed passwords she will likely have access to the database with the salt too.



But only the second salt is stored in a database; the first salt is stored under WWW-Root.


It's still there on the server; if the attacker has her hands on the database, you have to assume that the entire server might be compromised.


What is the best way to secure passwords?


You need to assume that the attacker will have access to anything on the server. So the first thing is clearly no plain text passwords, but hashes only. The second thing is to make it as hard as possible for the attacker to decode the hash. One salt helps prevent the use of rainbow tables, but more salt is useless since the attacker has them. So you are left with choosing an algorithm that is hard to crack, and currently the best one is bcrypt, which is already implemented in most programming languages for you.
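Added example, not from the thread: the advice in the comment above in runnable Python. It uses the standard library's PBKDF2 as a stand-in for bcrypt (so it runs without third-party packages); the shape is the same: one random per-user salt stored right beside the digest, a tunable work factor, and a constant-time comparison on verify. All function names and the record format are my own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Work factor: PBKDF2 iteration count, the stand-in for bcrypt's cost parameter.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$digest.

    The salt is random per user and stored next to the digest. That is fine:
    its only job is to defeat precomputed (rainbow) tables, not to stay secret,
    which is why a second 'hidden' salt on disk adds nothing once the server
    is assumed compromised."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record, candidate):
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the response time does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses a lower work factor than current policy,
    so it can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))                 # False
```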



